[
https://issues.apache.org/jira/browse/KAFKA-19951?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18042192#comment-18042192
]
Mickael Maison commented on KAFKA-19951:
----------------------------------------
I'm supportive of replacing lz4-java as it's not maintained anymore. According to
https://github.com/lz4/lz4-java/issues/233#issuecomment-3590188502, it seems
at.yawk.lz4 is blessed as the community replacement by the lz4 project.
Now regarding CVE-2025-12183, it seems the vulnerability is in the
LZ4_decompress_fast() method from LZ4, which is exposed as
LZ4JNIFastDecompressor in lz4-java. Kafka only uses LZ4SafeDecompressor and
that only calls LZ4_decompress_safe(). So my initial assessment is that Kafka
is not vulnerable.
I'm not a security or lz4 expert, so please correct me if I'm wrong or if you
have any more information. Still, it would be good to switch to a supported
library, as all code scanners will flag lz4-java-1.8.0 as vulnerable even if
Kafka is not affected.
> switch lz4-java to at.yawk.lz4 version due to CVE
> -------------------------------------------------
>
> Key: KAFKA-19951
> URL: https://issues.apache.org/jira/browse/KAFKA-19951
> Project: Kafka
> Issue Type: Bug
> Components: compression
> Reporter: PJ Fanning
> Priority: Major
>
> https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183
> https://github.com/search?q=repo%3Aapache%2Fkafka%20lz4-java&type=code
> The fork jar is a drop-in replacement (same package name as the original jar)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
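The comment above distinguishes the bounds-checked `LZ4SafeDecompressor` path from the `LZ4JNIFastDecompressor` path. The following is an added example, not code from Kafka or from lz4-java, showing what the safe API looks like from the caller's side: the caller supplies both the exact compressed length and the capacity of the destination buffer, and an undersized buffer or a malformed block is reported as an `LZ4Exception` rather than written past the buffer. It assumes lz4-java 1.8.0 is on the classpath; because the ticket states that the at.yawk.lz4 fork keeps the same package name, the same source should compile unchanged against the fork, but that is an assumption of this example and should be verified in the build. The sample input and the corrupted block are constructed here for illustration.

```java
// Added example (not Kafka's or lz4-java's own code). Assumes lz4-java 1.8.0
// or the at.yawk.lz4 drop-in fork (same net.jpountz.lz4 package, per the ticket).
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import net.jpountz.lz4.LZ4Compressor;
import net.jpountz.lz4.LZ4Exception;
import net.jpountz.lz4.LZ4Factory;
import net.jpountz.lz4.LZ4SafeDecompressor;

public class Lz4SafeDecompressDemo {

    // Decompress one LZ4 block through the "safe" API. Both the compressed
    // length (srcLen) and the destination capacity (maxDestLen) are passed
    // explicitly, so the decompressor can refuse to read or write out of bounds.
    // Returns exactly the bytes produced.
    static byte[] decompressSafe(LZ4SafeDecompressor d, byte[] compressed, int maxDecompressedLen) {
        byte[] dest = new byte[maxDecompressedLen];
        int produced = d.decompress(compressed, 0, compressed.length, dest, 0, dest.length);
        return Arrays.copyOf(dest, produced);
    }

    public static void main(String[] args) {
        // fastestInstance() picks the JNI binding when the native library is
        // available, otherwise a pure-Java implementation; the safe API is the
        // same either way.
        LZ4Factory factory = LZ4Factory.fastestInstance();
        LZ4Compressor compressor = factory.fastCompressor();
        LZ4SafeDecompressor decompressor = factory.safeDecompressor();

        // Constructed sample input (repetitive so it actually compresses).
        byte[] original = "kafka kafka kafka kafka kafka kafka kafka kafka"
                .getBytes(StandardCharsets.UTF_8);
        byte[] compressed = compressor.compress(original);

        // 1. Well-formed block, destination sized to fit: round-trips.
        byte[] restored = decompressSafe(decompressor, compressed, original.length);
        System.out.println("round trip ok: " + Arrays.equals(original, restored));

        // 2. Destination too small: the safe decompressor throws rather than
        //    writing past the end of the buffer.
        try {
            decompressSafe(decompressor, compressed, original.length / 2);
            System.out.println("unexpected: decompression succeeded");
        } catch (LZ4Exception e) {
            System.out.println("undersized buffer rejected: " + e.getMessage());
        }

        // 3. Corrupted block (constructed by flipping every third byte of the
        //    compressed stream). A malformed stream is normally rejected with
        //    LZ4Exception; if a flip happens to yield a still-valid stream the
        //    output must not be trusted, so both outcomes are handled.
        byte[] corrupted = compressed.clone();
        for (int i = 0; i < corrupted.length; i += 3) {
            corrupted[i] ^= (byte) 0xFF;
        }
        try {
            decompressSafe(decompressor, corrupted, original.length);
            System.out.println("corrupted block decoded (output not trusted)");
        } catch (LZ4Exception e) {
            System.out.println("corrupted block rejected: " + e.getMessage());
        }
    }
}
```

The practical check this supports is an audit of the code base for which decompressor type is obtained from `LZ4Factory`: `safeDecompressor()` returns the API shown here, while `fastDecompressor()` returns `LZ4FastDecompressor`, whose `decompress` takes the expected decompressed length instead of the compressed length and therefore relies on the stream being well-formed. The ticket's code-search link is the quick way to confirm that only the safe type appears in Kafka.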